What is an Insecure SSL Certificate Error Vulnerability?

When a browser connects to a secure website, the webserver returns a list of SSL certificates to verify its authenticity. These SSL certificates are subjected to a number of tests by the browser. Only after all of the tests pass will the browser display the webpage to the user.

When the browser is unable to validate the SSL certificates given by the server, an SSL certificate error occurs. The browser then blocks the page and warns the user that the website cannot be trusted. These warnings erode users’ faith in your website.

SSL certificate issues can occur for a number of reasons. The following are the most prevalent forms of SSL problems and how to avoid or correct them:

Expired Certificate

This is the most typical reason for SSL certificate failures. This error indicates that the SSL certificate’s validity period has ended. Every certificate has a set period of validity, and the client rejects certificates that are no longer valid. Validity durations are typically one year long, so it is easy to forget to renew the certificates before they expire.

The browser checks every certificate in your chain (leaf, intermediate, and root) for expiration. You must ensure that neither the leaf nor the intermediate certificates are expired.

This can also happen if the browser machine’s clock is off.

Fix: Replace your web server’s SSL certificates with fresh, valid certificates.

Inactive Certificate

When the browser obtains an SSL certificate whose validity term has not yet begun, the inactive certificate error occurs. Nowadays, it is usual to utilize a certificate manager to handle your server’s certificates. The manager will deploy the new certificates automatically, and their validity term will begin at the moment of deployment. If the client machine’s clock is 5 minutes behind owing to misconfiguration or other factors, the certificate will be rejected. This is especially typical in the case of API clients when the time on the client computer is out of sync.

Replace the SSL certificate with a fresh one that has a valid start time. Check if the client’s clock is in sync with the server’s.

Certificate lifetime greater than 398 days

CA/B Forum voted earlier this year to limit the duration of all freshly issued certificates to 398 days in order to provide a safe web environment for the user. All major browsers (Google Chrome, Mozilla Firefox, and Apple Safari) will refuse certificates issued after September 1st, 2020 that have a validity term of more than 398 days.

Replace the certificate with a fresh certificate that has a validity period of fewer than 398 days.
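
The expired, inactive and 398-day checks described above can be run against your own certificates before a browser does. The following is an added example, not part of the original article: it audits the notBefore/notAfter strings in the format Python's ssl.getpeercert() returns. The function name, the 30-day renewal window and the sample certificates are assumptions constructed for illustration.

```python
import ssl
from datetime import datetime, timedelta, timezone

MAX_LIFETIME = timedelta(days=398)
# The 398-day limit applies to certificates issued from this date (per the text).
POLICY_START = datetime(2020, 9, 1, tzinfo=timezone.utc)


def _parse(ts):
    """Parse a 'notBefore'/'notAfter' string as returned by ssl.getpeercert()."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(ts), tz=timezone.utc)


def audit_validity(cert, now, renew_within=timedelta(days=30)):
    """Findings for one certificate, judged by a client whose clock reads `now`."""
    not_before, not_after = _parse(cert["notBefore"]), _parse(cert["notAfter"])
    findings = []
    if now < not_before:
        findings.append("not_yet_valid")      # the "inactive" certificate case
    elif now > not_after:
        findings.append("expired")
    elif not_after - now <= renew_within:
        findings.append("expires_soon")       # renew before clients reject it
    if not_before >= POLICY_START and not_after - not_before > MAX_LIFETIME:
        findings.append("lifetime_over_398_days")
    return findings


# Constructed sample certificates; only the validity fields are filled in.
FRESH = {"notBefore": "Mar  1 12:00:00 2024 GMT", "notAfter": "Mar  1 12:00:00 2025 GMT"}
TWO_YEAR = {"notBefore": "Oct  1 00:00:00 2020 GMT", "notAfter": "Oct  1 00:00:00 2022 GMT"}

if __name__ == "__main__":
    deployed = datetime(2024, 3, 1, 12, 0, tzinfo=timezone.utc)
    clocks = {
        "client 5 min behind at deployment": deployed - timedelta(minutes=5),
        "one day after deployment": deployed + timedelta(days=1),
        "two weeks before expiry": datetime(2025, 2, 15, 12, 0, tzinfo=timezone.utc),
        "one day after expiry": datetime(2025, 3, 2, 12, 0, tzinfo=timezone.utc),
    }
    for label, now in clocks.items():
        print(f"{label}: {audit_validity(FRESH, now) or 'ok'}")
    print("two-year cert:", audit_validity(TWO_YEAR, datetime(2021, 1, 1, tzinfo=timezone.utc)))
```

Passing a `now` that is a few minutes behind the deployment time reproduces the API-client failure described in the Inactive Certificate section.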

Missing Hostname

This issue indicates that the website’s hostname is missing from the certificate. To avoid man-in-the-middle attacks, the browser verifies that it is communicating with the proper server. The browser compares the website’s hostname to the list of hostnames included in the leaf certificate. If there is no match, the client will presume it is communicating with the incorrect server, reject the certificate, and terminate the connection. The hostname information is contained in the leaf certificate’s commonName and subjectAltName (SAN) fields.

Fix: When reusing a certificate across several websites or sub-domains, ensure that the certificates cover all of the websites’ domain names.
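
To check hostname coverage before deploying a shared certificate, the comparison can be scripted. This is an added example, not code from the original article: it reads only the subjectAltName entries (in the ssl.getpeercert() dictionary format) and uses simplified matching rules, where a wildcard is accepted only as the whole leftmost label and stands for exactly one label. The function names and the sample certificate are assumptions constructed for illustration.

```python
def san_dns_names(cert):
    """DNS entries from a certificate dict in ssl.getpeercert() format."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def name_matches(pattern, hostname):
    """True if one certificate name covers the hostname (simplified rules)."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False              # a wildcard never spans more than one label
    if p_labels[0] == "*":
        # Require at least three labels so a name like "*.com" is never honoured.
        return len(p_labels) >= 3 and p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def uncovered_hostnames(cert, served_hostnames):
    """Hostnames served with this certificate that no SAN entry covers."""
    names = san_dns_names(cert)
    return [h for h in served_hostnames
            if not any(name_matches(n, h) for n in names)]


# Constructed sample: a certificate reused across several sites.
SHARED_CERT = {
    "subjectAltName": (
        ("DNS", "example.com"),
        ("DNS", "*.example.com"),
    )
}
SERVED = [
    "example.com",
    "www.example.com",
    "api.staging.example.com",   # two labels deep: not covered by *.example.com
    "example.org",               # different domain entirely
]

if __name__ == "__main__":
    for host in uncovered_hostnames(SHARED_CERT, SERVED):
        print("certificate does not cover:", host)
```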

Invalid/Incomplete Certificate Chain

When the browser is unable to build a legitimate chain of trust between your website’s certificates and the list of trusted root certificates, an invalid or incomplete certificate chain error occurs.

Every browser keeps a list of trusted root certificates on file. When the browser receives the certificates from the server, it begins the process of chaining your website certificates until it reaches any of the trusted root certificates. It will attempt to construct an SSL Chain of Trust — an ordered series of certificates that allow the browser to attest that the website’s server and the certificate authority are reliable. If the browser is unable to create the chain for your certificates, for example, owing to missing intermediate certificates, the certificates will be rejected.

Fix: Deploy and configure your webserver to return the leaf certificate as well as all intermediate certificates.

Revoked Certificate

This issue occurs when any of your website’s leaf or intermediate certificates is revoked and appears in the list of revoked certificates.

Certificates that are compromised before they expire will be revoked by the certificate authority. The Certificate Authority maintains the Certificate Revocation List (CRL), which contains a list of revoked certificates. When a webpage is loaded, the browser checks to see whether any of the certificates in the chain are in the CRL. The browser will reject your certificates if any of the certificates in your chain are found in the CRL. Each browser has a unique way of determining the revocation state of certificates.

To monitor the revocation status of your certificates, you must either query the CRL on a regular basis or utilize the Online Certificate Status Protocol (OCSP). These systems are tough to put in place.

Replace the revoked certificate with a fresh certificate to resolve the issue. Investigate the reason for the certificate revocation as well.

Untrusted Certificate Authority

This error indicates that the browser was unable to locate the root certificate in the locally trusted certificate storage. If the browser cannot identify any locally trusted root certificates while building the SSL Chain of Trust, it will not trust the server’s certificate. Because the browser cannot trust self-signed certificates, they will likewise create this problem.

Fix: If you wish to utilize a self-signed certificate on your website, manually add it to the browser’s trust store.
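
The chain-building process from the Invalid/Incomplete Certificate Chain section and the trust-store lookup from this section can be seen side by side in a small model. This is an added example, not part of the original article: it links certificates by issuer and subject name only and performs no signature verification, and the record layout, function name and certificate names are all constructed for illustration.

```python
def build_chain(leaf, sent_by_server, trust_store, max_depth=8):
    """Walk issuer links from the leaf towards a trusted root.

    Returns (status, path) where path lists the subjects visited.
    Name-only model: a real client also verifies each signature.
    """
    # Roots in the local store take precedence over anything the server sent.
    candidates = {c["subject"]: c for c in sent_by_server}
    candidates.update(trust_store)
    current, path = leaf, [leaf["subject"]]
    for _ in range(max_depth):
        if current["subject"] in trust_store:
            return "trusted", path
        if current["issuer"] == current["subject"]:
            return "untrusted_root", path       # self-signed and not in the store
        issuer = candidates.get(current["issuer"])
        if issuer is None:
            return "incomplete_chain", path     # e.g. missing intermediate
        path.append(issuer["subject"])
        current = issuer
    return "chain_too_long", path


# Constructed sample certificates (subject and issuer names only).
ROOT = {"subject": "Example Root CA", "issuer": "Example Root CA"}
INTERMEDIATE = {"subject": "Example Issuing CA 1", "issuer": "Example Root CA"}
LEAF = {"subject": "www.example.com", "issuer": "Example Issuing CA 1"}
SELF_SIGNED = {"subject": "intranet.example.com", "issuer": "intranet.example.com"}
TRUST_STORE = {ROOT["subject"]: ROOT}

if __name__ == "__main__":
    cases = {
        "leaf + intermediate": (LEAF, [LEAF, INTERMEDIATE], TRUST_STORE),
        "leaf only": (LEAF, [LEAF], TRUST_STORE),
        "self-signed": (SELF_SIGNED, [SELF_SIGNED], TRUST_STORE),
        "self-signed, added to store": (
            SELF_SIGNED, [SELF_SIGNED],
            {**TRUST_STORE, SELF_SIGNED["subject"]: SELF_SIGNED},
        ),
    }
    for label, (leaf, sent, store) in cases.items():
        status, path = build_chain(leaf, sent, store)
        print(f"{label}: {status} via {' -> '.join(path)}")
```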

Insecure Signature Algorithm

When any of the SSL certificates supplied by your web server uses the outdated SHA-1 hashing algorithm, the insecure signature algorithm warning occurs.

The strength of the hashing function used to sign the certificate is a significant factor in certificate security. Some older certificates use the SHA-1 hashing function, which is currently deemed unsafe. Websites having SHA-1 hashing signatures on their leaf and intermediate certificates are blocked by modern browsers.

Certificate authorities no longer issue SHA-1 certificates. It is suggested that you obtain a fresh certificate if you have any servers running with SHA-1 certificates.

Missing/Incorrect Certificate Transparency Information

Certificate Transparency is a technique for detecting SSL certificates that have been issued incorrectly by a certificate authority or fraudulently obtained from an otherwise unimpeachable certificate authority. It also allows you to detect certificate authorities that have gone rogue and are issuing certificates maliciously. When a certificate is issued, the certificate authority updates the certificate transparency log.

When a client connects, the server answers with the certificates and the certificate’s Signed Certificate Timestamp (SCT). The SCT is the certificate’s record in the certificate transparency log. The browser will reject the certificate if the SCT is absent or inaccurate.

The ZOFixer.com security scan helps to find this vulnerability in your software and server. You can use it by registering on our website and activating the 30-day trial.
